Skip to content

[RELEASE NOTES + DOCS] CLI tunnel feature should use all tunnel servers #3950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 14, 2025
Merged

[RELEASE NOTES + DOCS] CLI tunnel feature should use all tunnel servers #3950

merged 1 commit into from
Nov 14, 2025

Conversation

@jackkleeman
Copy link
Contributor

@jackkleeman jackkleeman commented Nov 5, 2025

Currently the CLI tunnel is a bit of a special case. It talks to only a single tunnel server eg :19082, which it is assigned randomly after first hitting 19080, and it then asks users to register a tunnel url that has a particular port, like tunnel://foo:9082 which means their restate env will hit the same tunnel server. This means that on the infra side, we have to maintain the ability for restate to hit a particular tunnel server using a port and a dns name, and this is potentially cross zone, which is not desirable. Instead, the cli should talk to all the tunnel servers (as discovered from the srv record eg tunnel.us.restate.cloud, and the restate environment should talk to its zone local tunnel servers to try and find a connection. This behaviour matches the standalone tunnel client that people run in their clusters. In the CLI we have a slightly simplified client however, as we do not handle tunnel draining mechanism and we don't handle the srv record changing.

In addition, the tunnel:// urls that map to a single local port are confusing. Instead we move to a generic local proxy approach, where you can register any url, providing --tunnel-name to specify that it should go through the tunnel for your environment. This will unify CLI + standalone tunnels, so that users don't have to build the tunnel url themselves.

eg:

restate cloud env tunnel --tunnel-name foo
restate dp register --tunnel-name foo http://localhost:9080
# you can even proxy to external urls
restate dp register --tunnel-name foo https://my-worker.workers.dev

Summary of changes:

  • We have to generate tunnel names client side, as we need to reach out to all tunnel servers simultaneously so it is tricky to let the server generate it
  • Resolve srv and connect to all tunnel servers
  • Generic forward proxy based on incoming url, matching standalone tunnel client
  • Change register command to accept normal urls + --tunnel-name
  • Get proxy base url at registration time from describe environment response, not local config so that we have more flexibility eg for byoc clusters

jackkleeman
jackkleeman commented Nov 5, 2025
View reviewed changes
crates/cloud-tunnel-client/src/util.rs
use bytes::{BufMut, BytesMut};
use http::Uri;

pub fn parse_tunnel_destination(
Copy link
Contributor Author

@jackkleeman jackkleeman Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this has been copied over verbatim from the standalone tunnel client

jackkleeman
jackkleeman commented Nov 5, 2025
View reviewed changes
cli/src/commands/cloud/environments/tunnel/local.rs
futures.next().await.unwrap()
}

fn do_proxy(
Copy link
Contributor Author

@jackkleeman jackkleeman Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this proxy logic is very similar to what we use in the standalone tunnel client

@jackkleeman jackkleeman requested a review from pcholakov November 5, 2025 10:37
@jackkleeman jackkleeman force-pushed the jk/pntxtmtszsxn branch 2 times, most recently from 596158a to fc8ff90 Compare November 5, 2025 10:46
@github-actions
Copy link

github-actions bot commented Nov 5, 2025
edited
Loading

Test Results

 5 files   -   2   5 suites   - 2   1m 18s ⏱️ - 1m 18s
34 tests  -  13  34 ✅  -  13  0 💤 ±0  0 ❌ ±0 
52 runs   - 148  52 ✅  - 148  0 💤 ±0  0 ❌ ±0 

Results for commit c693d98. ± Comparison against base commit 3369991.

This pull request removes 47 and adds 34 tests. Note that renamed tests count towards both. 
dev.restate.sdktesting.tests.CallOrdering ‑ ordering(boolean[], Client)[1]
dev.restate.sdktesting.tests.CallOrdering ‑ ordering(boolean[], Client)[2]
dev.restate.sdktesting.tests.CallOrdering ‑ ordering(boolean[], Client)[3]
dev.restate.sdktesting.tests.Cancellation ‑ cancelFromAdminAPI(BlockingOperation, Client, URI)[1]
dev.restate.sdktesting.tests.Cancellation ‑ cancelFromAdminAPI(BlockingOperation, Client, URI)[2]
dev.restate.sdktesting.tests.Cancellation ‑ cancelFromAdminAPI(BlockingOperation, Client, URI)[3]
dev.restate.sdktesting.tests.Cancellation ‑ cancelFromContext(BlockingOperation, Client)[1]
dev.restate.sdktesting.tests.Cancellation ‑ cancelFromContext(BlockingOperation, Client)[2]
dev.restate.sdktesting.tests.Cancellation ‑ cancelFromContext(BlockingOperation, Client)[3]
dev.restate.sdktesting.tests.Combinators ‑ awakeableOrTimeoutUsingAwakeableTimeoutCommand(Client)
…

dev.restate.sdktesting.tests.AwakeableIngressEndpointTest ‑ completeWithFailure(Client)
dev.restate.sdktesting.tests.AwakeableIngressEndpointTest ‑ completeWithSuccess(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$NewVersion ‑ completeAwakeable(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$NewVersion ‑ completeRetryableOperation(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$NewVersion ‑ proxyCallShouldBeDone(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$NewVersion ‑ proxyOneWayCallShouldBeDone(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$OldVersion ‑ createAwakeable(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$OldVersion ‑ startOneWayProxyCall(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$OldVersion ‑ startProxyCall(Client)
dev.restate.sdktesting.tests.BackwardCompatibilityTest$OldVersion ‑ startRetryableOperation(Client)
…

♻️ This comment has been updated with latest results.

pcholakov
pcholakov reviewed Nov 13, 2025
View reviewed changes
cli/src/commands/deployments/register.rs
}
DeploymentEndpoint::Uri(uri) if uri.scheme_str() == Some("tunnel") => {
return Err(anyhow::anyhow!(
"tunnel:// URLs are no longer supported; instead use the destination URL and --tunnel-name"
Copy link
Contributor

@pcholakov pcholakov Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

pcholakov
pcholakov approved these changes Nov 14, 2025
View reviewed changes
Copy link
Contributor

@pcholakov pcholakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jackkleeman, this looks great! It looks this improves on HTTP version handling too.

Sorry for the slow turnaround on this!

@jackkleeman jackkleeman merged commit 0604dac into main Nov 14, 2025
28 checks passed
@jackkleeman jackkleeman deleted the jk/pntxtmtszsxn branch November 14, 2025 10:52
@github-actions github-actions bot locked and limited conversation to collaborators Nov 14, 2025
@jackkleeman jackkleeman changed the title CLI tunnel feature should use all tunnel servers [RELEASE NOTES + DOCS] CLI tunnel feature should use all tunnel servers Nov 14, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pcholakov pcholakov pcholakov approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jackkleeman @pcholakov